Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
micahawitt
New Contributor III

Change SSLVPN IP

I have done some digging and haven't really seen anything, so if it has been posted, I'm sorry.

Currently we have a /29, the FortiGate ends with a 234. I have a couple different VLANs, traffic-wise, that go out separate IPs. I would like to make all VPN traffic go out on the 236 vs the default 234 IP that is the FortiGate, is this possible?

4 REPLIES
brycemd
Contributor II

I have done this before, but because the SSL VPN listens specifically on the interface-assigned IP, you actually need to do a VIP to send the SSL VPN port traffic on, in your case, 236 to 234.

And then a WAN-to-WAN IPv4 policy using that VIP.

So, since you need to VIP it and it still depends on the interface IP, it may not actually accomplish what you want.

micahawitt
New Contributor III

So it looks like I'm sticking with that default IP. I would think at this point we would be able to decide what IP we want this to listen on, especially since all the publics will typically be on that one interface anyway.

Thank you brycemd

tanr
Valued Contributor II

You can do it and make a different IP work without using a VIP, but it's a little weird.

I create secondary IPs on the WAN interface and use one of them for SSL-VPN. Use a local-in-policy to block any SSL to the primary IP and allow it just to the secondary IP. The SSL-VPN will tell you it is listening on the primary IP, but it is actually listening on the interface and will accept the SSL connection on the secondary IP.

Not sure if there is a cleaner/better way to do this. Would love to hear it if there is.

lobstercreed
Valued Contributor

So I have a slightly different situation where I'm doing BGP with 2 different ISPs and want my SSL VPN to still work when one or the other goes down.  What I ended up doing is creating a loopback interface for my VPN to listen on and then creating a VIP from my public, BGP-announced subnet that NATs to that loopback IP.  I think that may be a cleaner option for both of y'all even though you're not necessarily dealing with the 2 ISPs issue.
